Tellmeweb
Description
TellMeWeb is a Ruby script written by Aung Khant from YGN Ethical Hacker Group.
It parses Nmap grepable output (-oG) that was generated together with the -sV option, selects every host with an open http or https port, and feeds those targets into WhatWeb.
Brendan Coles wrote a similar script in bash which runs whatweb in all ports: https://gist.github.com/798148.
Installation
Prerequisites
You must first:
Download TellMeWeb
$ mkdir -p /pentest/enumeration/web/
$ cd /pentest/enumeration/web/
$ svn co http://tellmeweb.googlecode.com/svn/trunk/ tellmeweb
Configuration
Go to tellmeweb installation directory:
$ cd /pentest/enumeration/web/tellmeweb/
then edit the configuration file to specify the location of whatweb:
$ vim whatweb.config
Ensure the location of whatweb is correct and, if needed, modify the other options:
$whatweb = '/pentest/enumeration/www/WhatWeb/whatweb'
$whatweb_opt = ' -U "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" --follow-redirect=never -v '
$whatweb_aggressive = ' -a 4 -r '
Usage
Syntax
$ ruby tell-me-web.rb <nmap-out-file-in-gnmap-format> [A]
Options
A    Aggressive mode (for more information, see WhatWeb options)
Example
Nmap scan
First, run an Nmap scan with version detection (-sV) and grepable output (-oG):
$ sudo nmap -sS -sV -oG nmap-scan 192.168.100.24

Starting Nmap 5.36TEST4 ( http://nmap.org ) at 2011-02-20 09:58 CET
Nmap scan report for 192.168.100.24
Host is up (0.021s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.17 ((Unix) PHP/5.3.5)
111/tcp  open  rpcbind 2 (rpc #100000)
3306/tcp open  mysql   MySQL 5.5.8
MAC Address: 00:0C:29:31:85:0F (VMware)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds
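To show what TellMeWeb has to do between the two commands on this page, here is an added example (not the project's own code) that parses a constructed -oG file for the host scanned above, keeps only open http/https ports, and builds one WhatWeb argv per target from the values in whatweb.config. The 443/tcp entry, the exact gnmap text, the logs/ file name and the --log-verbose WhatWeb option are assumptions made for the example.

```ruby
# Constructed sample of Nmap grepable output (-oG) for the host scanned above.
# In this format Nmap writes '|' in place of '/' inside version strings.
SAMPLE_GNMAP = <<~GNMAP
  # Nmap 5.36TEST4 scan initiated as: nmap -sS -sV -oG nmap-scan 192.168.100.24
  Host: 192.168.100.24 ()\tStatus: Up
  Host: 192.168.100.24 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.17 ((Unix) PHP|5.3.5)/, 111/open/tcp//rpcbind//2 (rpc #100000)/, 443/open/tcp//ssl|http//Apache httpd 2.2.17/, 3306/open/tcp//mysql//MySQL 5.5.8/\tIgnored State: closed (995)
GNMAP

# Values copied from whatweb.config; the ' -a 4 -r ' string is split into argv form.
WHATWEB     = '/pentest/enumeration/www/WhatWeb/whatweb'
WHATWEB_OPT = ['-U', 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
               '--follow-redirect=never', '-v']
WHATWEB_AGG = ['-a', '4', '-r']

# Returns [[host, port, scheme], ...] for every open TCP port whose service is
# HTTP or HTTPS. "ssl|http" is how an ssl/http service appears in -oG output.
def web_targets(gnmap)
  targets = []
  gnmap.each_line do |line|
    next unless line =~ /^Host: (\S+) .*\tPorts: (.*?)(?:\t|$)/
    host, ports = $1, $2
    # Entries are separated by ", "; the seventh field (version) may itself
    # contain slashes, so split at most 7 times.
    ports.split(/,\s*/).each do |entry|
      port, state, proto, _owner, service, _rpc, _version = entry.split('/', 7)
      next unless state == 'open' && proto == 'tcp'
      scheme = case service
               when 'http', 'http-proxy', 'http-alt' then 'http'
               when 'https', 'ssl|http', 'https-alt' then 'https'
               else next
               end
      targets << [host, port.to_i, scheme]
    end
  end
  targets
end

# Builds one argv per target. Passing an argv array (not a shell string) to
# Process.spawn/system means a hostile hostname in the scan file cannot inject
# shell metacharacters into the command.
def whatweb_commands(targets, aggressive: false)
  targets.map do |host, port, scheme|
    url = "#{scheme}://#{host}:#{port}"
    [WHATWEB, *WHATWEB_OPT, *(aggressive ? WHATWEB_AGG : []),
     "--log-verbose=logs/#{host}_#{port}.whatweb", url]
  end
end

if __FILE__ == $0
  whatweb_commands(web_targets(SAMPLE_GNMAP), aggressive: ARGV.include?('A')).each do |argv|
    puts argv.join(' ')          # print instead of system(*argv) so the demo is offline
  end
end
```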
Tellmeweb scan
The tests were run against Joomla 1.6 (the latest available version at the time of this writing). TellMeWeb (WhatWeb) successfully detects Joomla:
$ ruby tell-me-web.rb nmap-scan

=============================================================
Tell Me Web? - Automating WhatWeb from NMap Output
(c) Aung Khant, aungkhant[at]yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/
svn co http://tellmeweb.googlecode.com/svn/trunk/ tellmeweb
=============================================================

**Current -> 192.168.100.24:80
log file as 192.168.100.24_80.whatweb
192.168.100.24/ [200]
http://192.168.100.24:80 [200] X-Powered-By[PHP/5.3.5], IP[192.168.100.24], Cookies[11c7e8fbc65c24906871f08925a4f140], PasswordField[password], Title[Accueil], maybe Joomla, Apache[2.2.17], HTTPServer[Apache/2.2.17 (Unix) PHP/5.3.5], AtomFeed[/index.php?format=feed&type=rss], Country[ZZ], PHP[5.3.5], MetaGenerator[Joomla! 1.6 - Open Source Content Management]
X-Powered-By => x-powered-by string (string: PHP/5.3.5)
IP => IP (string: 192.168.100.24)
Cookies => cookie names (string: 11c7e8fbc65c24906871f08925a4f140)
PasswordField => rss link type, field name (string: password)
Title => page title (string: Accueil)
Joomla => P3P Privacy Headers (certainty: 25)
Apache => HTTP Server Header, (version: 2.2.17)
HTTPServer => server string (string: Apache/2.2.17 (Unix) PHP/5.3.5)
AtomFeed => atom link type, atom link (string: /index.php?format=feed&type=rss)
Country => (string: ZZ)
PHP => (version: 5.3.5), (version: 5.3.5)
MetaGenerator => (string: Joomla! 1.6 - Open Source Content Management)
192.168.100.24/ [200]
http://192.168.100.24:80 [200] X-Powered-By[PHP/5.3.5], IP[192.168.100.24], Cookies[11c7e8fbc65c24906871f08925a4f140], PasswordField[password], Title[Accueil], maybe Joomla, Apache[2.2.17], HTTPServer[Apache/2.2.17 (Unix) PHP/5.3.5], AtomFeed[/index.php?format=feed&type=rss], Country[ZZ], PHP[5.3.5], MetaGenerator[Joomla! 1.6 - Open Source Content Management]
X-Powered-By => x-powered-by string (string: PHP/5.3.5)
IP => IP (string: 192.168.100.24)
Cookies => cookie names (string: 11c7e8fbc65c24906871f08925a4f140)
PasswordField => rss link type, field name (string: password)
Title => page title (string: Accueil)
Joomla => P3P Privacy Headers (certainty: 25)
Apache => HTTP Server Header, (version: 2.2.17)
HTTPServer => server string (string: Apache/2.2.17 (Unix) PHP/5.3.5)
AtomFeed => atom link type, atom link (string: /index.php?format=feed&type=rss)
Country => (string: ZZ)
PHP => (version: 5.3.5), (version: 5.3.5)
MetaGenerator => (string: Joomla! 1.6 - Open Source Content Management)
Log files
The log files are written to the logs/ directory, one per host and port. Example for host 192.168.100.24, port 80/tcp:
$ cat 192.168.100.24_80.whatweb
Identifying: http://192.168.100.24:80
HTTP-Status: 200
[["X-Powered-By", [{:name=>"x-powered-by string", :certainty=>100, :string=>"PHP/5.3.5"}]], ["IP", [{:name=>"IP", :certainty=>100, :string=>"192.168.100.24"}]], ["Cookies", [{:name=>"cookie names", :certainty=>100, :string=>["11c7e8fbc65c24906871f08925a4f140"]}]], ["PasswordField", [{:regexp=>/<input [^>]*?type=["']password["'].*?>/i, :regexp_compiled=>/<input [^>]*?type=["']password["'].*?>/i, :name=>"rss link type", :certainty=>100}, {:name=>"field name", :certainty=>100, :string=>"password"}]], ["Title", [{:name=>"page title", :certainty=>100, :string=>"Accueil"}]], ["Joomla", [{:name=>"P3P Privacy Headers", :certainty=>25}]], ["Apache", [{:name=>"HTTP Server Header", :certainty=>100}, {:version=>[["2.2.17"]], :certainty=>100}]], ["HTTPServer", [{:name=>"server string", :certainty=>100, :string=>"Apache/2.2.17 (Unix) PHP/5.3.5"}]], ["AtomFeed", [{:regexp=>/<link .*?type=["']application\/atom\+xml["'].*?>/mi, :regexp_compiled=>/<link .*?type=["']application\/atom\+xml["'].*?>/mi, :name=>"atom link type", :certainty=>100}, {:name=>"atom link", :certainty=>100, :string=>"/index.php?format=feed&type=rss"}]], ["Country", [{:certainty=>100, :string=>"ZZ"}]], ["PHP", [{:version=>"5.3.5", :certainty=>100}, {:version=>"5.3.5", :certainty=>100}]], ["MetaGenerator", [{:regexp_compiled=>/<meta[^>]+name[\s]*=[\s]*"generator"[^>]+content[\s]*=[\s]*"([^"]+)"/i, :regexp_offset=>0, :certainty=>100, :string=>["Joomla! 1.6 - Open Source Content Management"]}]]]
Identifying: http://192.168.100.24:80
HTTP-Status: 200
[["X-Powered-By", [{:name=>"x-powered-by string", :certainty=>100, :string=>"PHP/5.3.5"}]], ["IP", [{:name=>"IP", :certainty=>100, :string=>"192.168.100.24"}]], ["Cookies", [{:name=>"cookie names", :certainty=>100, :string=>["11c7e8fbc65c24906871f08925a4f140"]}]], ["PasswordField", [{:regexp=>/<input [^>]*?type=["']password["'].*?>/i, :regexp_compiled=>/<input [^>]*?type=["']password["'].*?>/i, :name=>"rss link type", :certainty=>100}, {:name=>"field name", :certainty=>100, :string=>"password"}]], ["Title", [{:name=>"page title", :certainty=>100, :string=>"Accueil"}]], ["Joomla", [{:name=>"P3P Privacy Headers", :certainty=>25}]], ["Apache", [{:name=>"HTTP Server Header", :certainty=>100}, {:version=>[["2.2.17"]], :certainty=>100}]], ["HTTPServer", [{:name=>"server string", :certainty=>100, :string=>"Apache/2.2.17 (Unix) PHP/5.3.5"}]], ["AtomFeed", [{:regexp=>/<link .*?type=["']application\/atom\+xml["'].*?>/mi, :regexp_compiled=>/<link .*?type=["']application\/atom\+xml["'].*?>/mi, :name=>"atom link type", :certainty=>100}, {:name=>"atom link", :certainty=>100, :string=>"/index.php?format=feed&type=rss"}]], ["Country", [{:certainty=>100, :string=>"ZZ"}]], ["PHP", [{:version=>"5.3.5", :certainty=>100}, {:version=>"5.3.5", :certainty=>100}]], ["MetaGenerator", [{:regexp_compiled=>/<meta[^>]+name[\s]*=[\s]*"generator"[^>]+content[\s]*=[\s]*"([^"]+)"/i, :regexp_offset=>0, :certainty=>100, :string=>["Joomla! 1.6 - Open Source Content Management"]}]]]